Fix for bug 290100 (XMLHttpRequest affected by document.domain setting). r=caillon, sr=brendan.

caps/src/nsScriptSecurityManager.cpp

@@ -830,13 +830,21 @@ nsScriptSecurityManager::CheckSameOriginPrincipalInternal(nsIPrincipal* aSubject
 
     nsCOMPtr<nsIURI> subjectURI;
     nsCOMPtr<nsIURI> objectURI;
-    aSubject->GetDomain(getter_AddRefs(subjectURI));
+    if (aIsCheckConnect)
-    if (!subjectURI) {
+    {
+        // Don't use domain for CheckConnect calls, since that's called for
+        // data-only load checks like XMLHTTPRequest (bug 290100).
         aSubject->GetURI(getter_AddRefs(subjectURI));
+        aObject->GetURI(getter_AddRefs(objectURI));
     }
+    else
+    {
+        aSubject->GetDomain(getter_AddRefs(subjectURI));
+        if (!subjectURI)
+            aSubject->GetURI(getter_AddRefs(subjectURI));
 
         aObject->GetDomain(getter_AddRefs(objectURI));
-    if (!objectURI) {
+        if (!objectURI)
             aObject->GetURI(getter_AddRefs(objectURI));
     }
 
@@ -851,9 +859,8 @@ nsScriptSecurityManager::CheckSameOriginPrincipalInternal(nsIPrincipal* aSubject
         // DNS spoofing based on document.domain (154930)
 
         // But this restriction does not apply to CheckConnect calls, since
-        // that's called for data-only load checks like XMLHTTPRequest, where
+        // that's called for data-only load checks like XMLHTTPRequest where
-        // the target document has not yet loaded and can't have set its domain
+        // we ignore domain (bug 290100).
-        // (bug 163950)
         if (aIsCheckConnect)
             return NS_OK;
 
@@ -892,9 +899,7 @@ nsScriptSecurityManager::CheckSameOriginDOMProp(nsIPrincipal* aSubject,
                                                    aIsCheckConnect);
     
     if (NS_SUCCEEDED(rv))
-    {
         return NS_OK;
-    }
 
     /*
     * If we failed the origin tests it still might be the case that we